Every quarter we sit down with the security desk and write the talk we wish we didn't have to keep giving. The shape of the talk hasn't changed much: email is still where most incidents start, MFA is still the single biggest move you can make, and the people most likely to click are the ones who are the most generous with their time.
What did change this year is the writing. Phishing emails read like they were edited by an actual human now — because they were, or because the model that wrote them is good enough that you can't tell. We've stopped training people to look for grammar mistakes. That tell is gone. The new tells are subtler: urgency, an unexpected channel, a request that wouldn't make sense if you stopped and asked someone next to you.
Our recommendation is the same as it's always been, just enforced more carefully: MFA on everything, password manager for everyone (yes, including the founder), and a five-second pause on any request involving money or credentials. The pause is the actual control. The technology is just there to give the pause a chance to work.
"The grammar finally got good. Treat that as the new baseline, not a warning sign you can rely on."
— Your Tech Department, March 2026